[ar:Willa Cassandra Riggins(abyssknight)]
[al:Def Con 24 Hacking Conference]
[ti:Esoteric Exfiltration]
[au:Willa Cassandra Riggins(abyssknight)]
[by: DEF CON Communications (https://www.defcon.org)]
[00:00:00.23]
>> So if you are in here it is
the Esoteric Exfiltration talk,
if you are looking for the other
[00:00:04.20]
one it's probably in a different
room. So, uhm... this is me I'm
Willa Riggins. Uhm, I am a
[00:00:11.03]
senior penetration tester from
Veracode, a member of the
FamiLAB hackerspace down in
[00:00:15.73]
Orlando, uh... I'm the DC407
point of contact... I just, I do
a lot of things - OWASP and
[00:00:20.73]
[00:00:23.00]
BSides. Uhm, but really if you
look at my Twitter I just
retweet cats. [laughter] That's
[00:00:28.80]
really all I do. So Exfil 101 -
how many of you are familiar
with exfiltration at all?
[00:00:34.93]
Anybody in the room? Awesome! So
it's the know-it-all crowd. So,
for those who aren't in the know
[00:00:39.93]
[00:00:42.10]
- data exfiltration is the
unauthorised transfer of
sensitive information from a
[00:00:45.70]
target's network to a location
that the threat actor controls.
Now that's from a Trend Micro
[00:00:50.63]
article. But, basically, that,
like, "threat actor control" is
kind of our wishy-washy term
[00:00:55.63]
[00:00:57.80]
here - uhm, what is that? It can
be their server, their social
media account, it could be their
[00:01:03.63]
dropbox, could be anything,
right? So why do you care? Uhm,
data loss costs you money and
[00:01:10.40]
your sanity. If anybody's ever
worked incident response, it sucks
when you lose stuff. Uhm, if
[00:01:17.13]
you've ever found creds on
Pastebin, that had your name in
it, that sucks! So anyway, back
[00:01:22.13]
[00:01:25.67]
in 2012, Reddit Netsec - anyone
follow Netsec on Reddit? Yes! So
I did a survey back in 2012 and
[00:01:30.67]
[00:01:34.90]
82% of the folks who replied
said "Hey, this stuff is
important." Uhm, you know, "It
[00:01:39.90]
[00:01:41.90]
means a lot to us and our
networks and our money and our
companies". Uhm, so, let's talk
[00:01:47.70]
a little bit about covert
channels and where to find them,
and this is kind of where the
[00:01:52.53]
meat of the talk is going to be
cause I've done all the stuff,
I've done the research, I've
[00:01:57.40]
gotten caught... Uhm and the
getting caught stuff is the most
exciting part because then you
[00:02:02.93]
learn how not to do that. Uhm,
so, the first thing is mask your
traffic with normal usage
[00:02:09.07]
patterns - so if you know a
company uses, you know, social
media or they're on web traffic,
[00:02:14.83]
or they're using protocols for
their everyday business like FTP
or like, uhm, you know, everyone
[00:02:19.80]
uses HTTP or HTTPS. Uhm, some
folks have RDP open. Uhm, just
knowing that stuff is really
[00:02:24.80]
[00:02:26.90]
important cause then you can
kind of build a model of "What
does a normal employee's traffic
[00:02:30.90]
look like, and how can I look
like that?" Uhm, hide data in
known safe payloads, so don't
[00:02:36.83]
save. Uhm, status updates to
Facebook or Twitter, that kind
of stuff looks innocuous, right?
[00:02:41.83]
[00:02:45.10]
You probably post five tweets
every minute, that's you know,
that's a lot of data - that's
[00:02:49.37]
140 characters times five, uh,
not a huge amount of throughput
there but it's still cool, like,
[00:02:55.07]
you could do something with
that. Uhm, say with HTTP post,
how many ASP.net devs do we have
[00:03:00.07]
[00:03:03.63]
in the room? [chatter]
[laughter] How many of you hate
the viewstate because it's 2MB?
[00:03:07.50]
Yeah, that's 2MB of data that you
can send out and, you know, no
one's going to notice it - it's
[00:03:13.10]
just gone. Base64-encode it,
like viewstate, put it in a form
and just submit it to whatever
[00:03:18.87]
web server. Uhm, that's a "meg",
you know, every single request
it's gone. Uhm, the other thing
[00:03:25.50]
is stay quiet, you know, stay
within the normal payload size
like that 2MB viewstate, don't
[00:03:30.00]
try and upload 36GB to
twitter... Don't! [laughter]
I've... We've done this, uhm,
[00:03:37.00]
it's not fun, don't try to do
that - you'll get rate limited,
people will be like "What the
[00:03:41.43]
hell is this, like, why are
there all these tweets with
random data in it?" Uhm,
[00:03:45.53]
Facebook will probably get
really angry if I did that. Uhm,
it's important to realize that
[00:03:51.47]
not only are you going to get
caught by other people seeing
that you're posting all this
[00:03:55.33]
crap, but also it's going to
throw a flag on whatever egress
is there, so if there's a
[00:03:59.97]
firewall or an out-firewall
they're gonna see a spike in
traffic and go "What is that?
[00:04:04.30]
What device did that come from?"
And that's, that's one way
you're definitely gonna get
[00:04:08.87]
caught, if you send 36GB of
data over one channel from one
device all at the same time. So
[00:04:15.30]
yeah, definitely stay quiet and
set your payload sizes based on
what the channel is - so Twitter
[00:04:20.27]
obviously is 140 characters,
uhm, you're kinda limited there;
DNS is even smaller, DNS as an
[00:04:26.80]
exfil method kinda sucks.
Facebook gives you a lot more
leeway but, uhm, you know,
[00:04:33.50]
there's a lot of management
involved with that, but we'll
talk about that a little bit
[00:04:36.73]
later. Encoding and encrypting
your data, so, depending on who
you're doing this for and why
[00:04:41.57]
you're doing this, you might not
want people to know that you
stole that data, right? You
[00:04:45.90]
don't want them to know, you
don't want them to Google and be
like "Why is my name in this
[00:04:49.70]
weird Twitter stream of binary
data? Why is it in there?".
Cause they'll trace it back,
[00:04:54.77]
figure it out, contact Twitter
which will take a long time,
they'll get back and they'll be
[00:04:58.63]
like "Oh, it's this device
that's uploading all this crap
from your server" - you just
[00:05:02.17]
[00:05:04.30]
want to make sure that people
can't find it. There's a really
cool tool called "Cloakify", by
[00:05:07.83]
one of our other attendees who
might be here... Uhm, that
basically does DLP avoidance.
[00:05:12.87]
That's a really cool thing that,
uhm, you can use that to kind of
transform the data before you
[00:05:18.27]
send it out. So... So we talked
about transport, right? We
talked a little bit about why
[00:05:24.77]
you do the things the way you do
them, but let's talk about
specific examples. So, on the
[00:05:30.67]
transport layer, you know, you
have network protocols we can do
point-to-point stuff with HTTP;
[00:05:35.40]
we can do Telnet, Netcat, all
that stuff. Third-party drops
like Dropbox or putting it on
[00:05:42.27]
Facebook or anything like that,
that's kind of taking the threat
actor control to a third party
[00:05:48.27]
and then getting it relayed down
to another, you know, device.
So, those are cool cause it's...
[00:05:53.30]
it's kinda like a dead drop. Then
going to the airwaves, which is
something that I really wanted
[00:05:56.97]
to show off today, but I am a
terrible...like, I didn't
sacrifice enough things to the
[00:06:01.40]
demo gods and my demo....
doesn't work, and then the
radios I brought, don't work,
[00:06:07.37]
so... Uhm I will be having to
contact SparkFun and figure
out what to do there... So,
[00:06:13.93]
network protocols, the obvious
stuff, HTTP, SSH, Netcat - I
mean, if you can get out with
[00:06:18.93]
[00:06:21.20]
that stuff by all means use it,
like, that's the easiest low
hanging fruit. You're gonna get
[00:06:25.13]
out, that's fine, and by the
time anyone notices that you did
what you did, as long as you've
[00:06:29.00]
throttled it and hid it like
you're supposed to, no one's
gonna notice. Uhm, you can get
[00:06:33.10]
all this stuff out. Now if you
have a company with a really
awesome SOC, who, uh, is going
[00:06:38.33]
to bust you within like ten
minutes of you doing the thing
that you did - maybe you should
[00:06:43.33]
hide in something else like we
talked a little bit about RDP -
if that's a normal part of your
[00:06:48.17]
business, you know, RDP into
another machine; map the drive
and exfil data that way. It's
[00:06:53.30]
super easy, you don't need a
tool to do it, uhm... and no
one's gonna really notice until
[00:06:58.40]
later when they're like "Why is
this RDP session using so much
data?" Uhm, so, that sorta
[00:07:04.10]
stuff is really interesting.
There's some other stuff where,
like, uhm.. If they use a
[00:07:07.50]
specific proprietary protocol, I
won't name any, uhm.. but you
can basically hide data in that
[00:07:14.40]
by munging the protocol so if
there's a request that, like,
list files or something you
[00:07:21.10]
could make it so that instead of
listing a directory it lists,
uhm.. base64 of the data
[00:07:26.10]
you're "exfilling". You could do
some really cool stuff with
that. Uhm, so that's kind of the
[00:07:30.53]
discrete way of doing that data
on the wire stuff. Uh,
third-party drops... Uhm...
[00:07:35.60]
Obvious stuff is any
file-sharing service that will
let you upload the size of data
[00:07:39.53]
that you have. Uhm.. again you
probably wanna throttle it, uhm,
and these are typically blocked
[00:07:45.80]
at some proxy level or an egress
firewall. Like if these are
available to you, yea....
[00:07:51.27]
that's.. that's like "Exfils
done, we don't need... we have
another problem, right?" Uhm,
[00:07:56.63]
but Pastebin - how many of you
have Pastebin at work? Can you
get Pastebin? See... yeah...
[00:08:02.50]
that's not a lot of hands -
that's awesome! So, we've
blocked Pastebin ... [laughter]
[00:08:07.50]
What else is out there that you
could use? There's like twelve
other services that you could
[00:08:10.77]
use that do exactly the same
thing and they're probably
unblocked, right? So doing it
[00:08:16.17]
discretely, right, we can use
Flickr, Imgur and do stego;
put it inside a picture of a
[00:08:20.77]
squirrel - done that, that's
awesome! [laughter] Uhm, those
two services in particular will
[00:08:25.50]
let you upload things that are
completely lossless - so you can
upload it and you can download
[00:08:29.70]
it and all your stego data is
there. Uhm, there's simple
Python libraries that do all
[00:08:34.10]
that stuff, uhm, the APIs change
constantly but if you keep up
with it, I mean, you can exfil
[00:08:39.57]
data that way; and when it goes
out the firewall it looks like
you're uploading squirrel
[00:08:43.13]
pictures which is super weird
but nobody's ever gonna ask you
"Why?". [laughter and chatter]
[00:08:49.73]
So, Twitter and Facebook, I put
Twitter in the same category as
DNS - I kinda hate it as an
[00:08:55.87]
exfil method cause 140
characters is just too slow.
Uhm, and by the time you get any
[00:09:01.10]
meaningful amount of data out
that way, uhm... I mean, you're
gonna have to recompile it and
[00:09:07.23]
get it all down and it's just no
fun. Uhm, Facebook though...
Facebook has this really cool
[00:09:12.20]
thing called "Groups". Anybody
in a Facebook group? Where's the
moms in the room?... Cause I'm
[00:09:17.17]
in like twelve. [laughter] Okay.
So Facebook groups let you
upload files and it is in the
[00:09:22.80]
API to actually let you upload
files in Facebook groups. So I
create a fake Facebook account;
[00:09:28.43]
I create a fake group with just
me in it and then I upload a
bunch of files. Uhm, you can
[00:09:33.23]
totally do that, right? And most
of you at work Facebook's
unlocked, I know the army does
[00:09:38.27]
that, I know a lot of the DoD
companies do that because it's
required for business - in
[00:09:43.70]
theory. Uhm, so you can't block
Facebook, you can't block
Twitter, can't block all these
[00:09:48.50]
services that "I HAVE to use for
business; so I'll abuse them and
exfil data". It's cool. So
[00:09:53.50]
[00:09:57.37]
kinda getting past that and
doing the airwaves stuff. Uhm...
[pause] A lot of folks think of
[00:10:03.50]
this in the TEMPEST realm,
right? We talk about, you know,
you have a room with a Faraday
[00:10:07.17]
cage on it, you're not gonna get
anything out of that room. We've
seen talks where they've done
[00:10:10.63]
like fans where you spin the fan
at the right oscillation - you
can exfil data that way. I don't
[00:10:16.07]
know anyone who has done that on
a pentest - has anybody actually
done that? Like TEMPEST attacks
[00:10:20.97]
for exfil.. on a pentest where
you have two days of sleep and
you really don't have the time
[00:10:26.70]
to set that up? Yeah, like you
can't do that - that's too much
effort for low return. But, what
[00:10:33.20]
if you had a device you could
just plug in? So a USB port,
onsite, you broke-and-entered
[00:10:38.17]
with your lock picks and your
little door tool and you
shimmied and you just plugged
[00:10:42.00]
the tool in the back of the
machine and that was it. No WiFi
antenna, no, like, HID device,
[00:10:46.37]
just a USB serial that you plug
in and all of a sudden you have
a remote connection. You could
[00:10:51.37]
[00:10:54.87]
do a lot with that, uhm, you
could write code and do all
kinds of fun stuff; or you could
[00:10:58.97]
just stream data over it, uhm,
serial out. Uhm... and the XBee
radios that I have are like
[00:11:05.20]
28-mile range, they do mesh, uhm,
I have them in my hotel room if
anyone wants to see them I'll
[00:11:10.37]
bring them. Uhm, I just need
breakout boards that don't suck.
Uhm... but the cool thing with
[00:11:16.03]
that is you can build a mesh
network that went all the way up
"The Strip" and the chances of
[00:11:21.07]
anyone being able to triangulate
each and every node, by the time
you are done exfilling data, is
[00:11:26.00]
extremely low. Uhm, and these
things cost like... I think the
series that I'm using are like
[00:11:30.93]
70 bucks, you can get 1-mile
range ones for like 40, so
they're kinda like throwaway
[00:11:36.43]
pentest devices - just strap it
to the back of a Teensy, plug it
in, walk away. Uhm, ham radio
[00:11:41.43]
[00:11:43.73]
stuff, you could do APRS, right?
Any hands in the room? APRS
messaging? It's totally illegal
[00:11:48.73]
[00:11:50.73]
- don't do it! ...But you could
technically exfil over APRS,
right? [laughter] Cause it's
[00:11:56.43]
just text, it's just text data,
it's digital. Uhm, I could just
say "Hey, my truck is here, my
[00:12:01.37]
truck is here, my truck is in
Japan, my truck is here...".
Uhm, and you could use that to
[00:12:05.97]
exfil data, uhm, and the cool
thing with that one is that you
can repeat it with internet
[00:12:11.53]
repeaters and stuff like that -
you don't even have to be in the
country. Uhm, you could just
[00:12:15.30]
exfil like that. And then
lasers - how many people are
fans of lasers? So basically use
[00:12:20.30]
[00:12:22.40]
the laser mic technique -
everybody knows what...
everybody don't know about the
[00:12:26.50]
laser mic thing? Hitting the
laser at the glass, you feel the
vibrations from the glass and
[00:12:31.80]
you read it digitally by
reflecting it off something. Do
that with data! Why not....
[00:12:36.50]
right? I mean, that stuff's
insane and totally out of the
scope of pentest but it sounds
[00:12:41.43]
really cool so let's put it
inside... [laughter] So all this
stuff is about attacking and
[00:12:46.97]
breaking stuff but, uhm, what
does the blue team say about all this
stuff, right? What do you do?
[00:12:52.10]
You can't block Facebook, you
can't block Twitter, so what the
hell are you gonna do? So we can
[00:12:57.50]
block endpoints, we can block
individual malware endpoints, we
can block some stuff, uhm, by
[00:13:03.10]
URI or IP, right? So every time
I stand up a fake service with
Pastebin code on it you block
[00:13:08.77]
it, fine, whatever. Uhm, I can
block egress at the firewall by
the port protocol or application
[00:13:14.90]
firewall or whatever, I can just
shut that down, whatever the
hell you're doing I'll just
[00:13:18.23]
block it. Uhm, you can try to
detect anomalies and payload
size so, you know, look at the
[00:13:23.80]
frequency, look at the "Hey, why
is this machine turning on at
three in the morning, going on
[00:13:27.77]
Facebook and uploading 6GB of
data, like, why is that
happening? It doesn't make any
[00:13:32.87]
sense." You can look for that
stuff and that's, that's cool.
Uhm, and you can block USB
[00:13:37.43]
devices by class or device ID.
[pause] Now, none of that stuff
works, uhm... Unfortunately
[00:13:43.73]
blacklists just don't work, if
you've got a proxy at your
company - I won't name names -
[00:13:48.83]
but a lot of them, like, you can
stand up a new website,
categorize it, get it approved
[00:13:53.30]
through the proxy service and
it's good to go in 48 hours. So,
you can stand up your malicious
[00:13:59.07]
website, looks like a "My Little
Pony" fansite - which is awesome
- and then have, like, a
[00:14:03.70]
"/exfil" and just exfil data
to that. Like, just use your
Apache logging to, just whatever,
[00:14:09.87]
doesn't matter, just stream data
out. People think you just
really like "My Little Pony"
[00:14:14.27]
and, you know, that's fine.
Please don't access that at
work, that's as far as the
[00:14:18.40]
conversation goes, cool! Uhm, we
can disrupt normal business if
we start blocking stuff, so
[00:14:23.87]
Facebook, Twitter, Dropbox - a
lot of companies use that for,
you know, large file transfers
[00:14:28.80]
anyway but if they have to use
it I can use it. Uhm, and that's
kind of like Moxie Marlinspike
[00:14:35.77]
talks about the scope of choice
with Google and Facebook and
TIA, uh, and how you can't
[00:14:40.43]
really not use Facebook if you
wanna be friends with everyone,
right? So, the choice is then
[00:14:45.50]
"Do I interact with people or do
I, you know, just not
participate?" And that's what we
[00:14:50.37]
wanna force people to do as
attackers, is to decide between
making money and preventing my
[00:14:56.73]
exfil... Uhm, and there's kind
of a balance there, uhm, and
it's for companies to kinda
[00:15:02.30]
figure out what's more risky. In
context, these protocols are
difficult to automate, you
[00:15:07.83]
can... like you can do Deep
Packet Inspection - it's
awesome, right? DPI can do all
[00:15:12.40]
kinds of fun things but if it's
inside a squirrel picture and
stego'd and all this other
[00:15:16.90]
stuff, like, good luck telling
your system to do that. Uhm, you
might have the data in a pcap
[00:15:22.57]
somewhere, that's fine, but if
you're gonna take my forty
thousand squirrel pictures and
[00:15:28.17]
somehow decode them all you
should go play DEF CON CTF...
[laughter] Uhm, USB device IDs,
[00:15:33.17]
[00:15:36.80]
those don't work, there's a lot
of manufacturers that are just
repeating the same ID for
[00:15:40.77]
whatever the hell that is. Uhm,
and it's.. each of those cost
money, so why would they pay for
[00:15:45.93]
a USB device ID for a crappy
mouse you bought down the
street? Like, they're not gonna
[00:15:50.93]
do that, so if you're trying to
block it by device ID it's just
not gonna work. So, weaponizing
[00:15:57.57]
squirrels, uhm, "Squirrel" is
the name of a tool, a tool
that's not, uhm, ready today
[00:16:02.57]
[00:16:05.23]
cause I suck at everything. It's
a Python 2.7-based application,
it will be MIT-licensed, uhm,
[00:16:11.77]
you will be able to download it;
do whatever you want with it,
uh.. munge it, take it apart,
[00:16:15.37]
uhm, steal code - I don't care,
like, the whole point is that
you'll be able to do exfil and
[00:16:20.50]
it'll be easy. So, its extensions
will be simple module-based
plugins so all you have to do is
[00:16:25.80]
write a little bit of the base
code, uh, for your module, for
your exfil channel, and all
[00:16:30.90]
the, like, taking the file and
chunking it up, all that's taken
care of. All of the login, all
[00:16:35.73]
of the... all the stuff you
don't wanna care about is done.
All you've got to do is write a
[00:16:40.00]
"send" and "receive". Uhm, and
so you can put this on the box
that you've pwned, execute it with
[00:16:45.93]
the CLI and exfil. That's it,
that's all you have to do. So
this is what it looks like when
[00:16:50.93]
[00:16:53.10]
you execute it. Uhm, right now
it just has a.. you can put the
file in the channel you wanna
[00:16:59.50]
use under the "Settings"
collection; and all the channels
are not committed to show what
[00:17:03.90]
the settings are. Uhm, like for
"Imgur" which is one of the
examples I used, you can put in
[00:17:09.90]
the client secret and client ID and
then that's all you really need
for that one to exfil. So,
[00:17:14.27]
uhm... cool! And that's what the
tool, the module, looks like,
it's really hard to read on this
[00:17:21.03]
screen. So they told me that
this was a four by three
projector, uhm, but apparently
[00:17:26.63]
have tons more space. Uhm, but
if you can see that at all, uhm,
all the stuff is just metadata
[00:17:33.00]
saying "What the hell is this
thing? How big can my chunks be,
and, uh, what does it do?", and
[00:17:39.10]
the rest of it is just "Send"
and "Receive". And all you have
to do is write "Send" or
[00:17:41.20]
"Receive" and it'll work.
[pause] So, this is the URL that
the code will be available at
[00:17:46.20]
[00:17:50.70]
soon as I stop being sick and my
family stops, like, almost
dying. Uh... you will be able to
[00:17:56.07]
download the code at that URL,
obviously it's not available
today but... Uhm, closing stuff:
[00:18:02.43]
stuff I wanna do. Uhm,
additional modules, obviously,
uh... because the demo's not
[00:18:06.90]
done, it should work. [laughter]
Uhm, executable payload
generation with PyInstaller,
[00:18:11.53]
so doing kind of an msfvenom
thing, uh, to an MSF post module,
longer range hardware, get with
[00:18:17.97]
the Cloakify guy and shove that
stuff into my code; uh.. and
customized timing. All of these
[00:18:24.00]
are super awesome because
they've contributed in some way
to me actually getting this done
[00:18:28.37]
(slash) me being here. Uh,
Veracode especially... and
BSides, and DC407, and FamiLAB
[00:18:34.43]
and all those cool people. Uhm,
and thank you... That's kind of
the talk. [applause]
[00:18:39.43]